ICS 35.040
L80
National Standard of the People's Republic of China
GB/T 22081-2016
Replacing GB/T 22081-2008
Information technology - Security techniques - Code of practice for information security controls
(ISO/IEC 27002:2013, IDT)
Issued 2016-08-29
Implemented 2017-03-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Contents
Foreword
Introduction
0.1 Background and context
0.2 Information security requirements
0.3 Selecting controls
0.4 Developing the organization's own guidelines
0.5 Life cycle considerations
0.6 Related standards
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this standard
4.1 Clauses
4.2 Control categories
5 Information security policies
5.1 Management direction for information security
6 Organization of information security
6.1 Internal organization
6.2 Mobile devices and teleworking
7 Human resource security
7.1 Prior to employment
7.2 During employment
7.3 Termination and change of employment
8 Asset management
8.1 Responsibility for assets
8.2 Information classification
8.3 Media handling
9 Access control
9.1 Business requirements of access control
9.2 User access management
9.3 User responsibilities
9.4 System and application access control
10 Cryptography
10.1 Cryptographic controls
11 Physical and environmental security
11.1 Secure areas
11.2 Equipment
12 Operations security
12.1 Operational procedures and responsibilities
12.2 Protection from malware
12.3 Backup
12.4 Logging and monitoring
12.5 Control of operational software
12.6 Technical vulnerability management
12.7 Information systems audit considerations
13 Communications security
13.1 Network security management
13.2 Information transfer
14 System acquisition, development and maintenance
14.1 Security requirements of information systems
14.2 Security in development and support processes
14.3 Test data
15 Supplier relationships
15.1 Information security in supplier relationships
15.2 Supplier service delivery management
16 Information security incident management
16.1 Management of information security incidents and improvements
17 Information security aspects of business continuity management
17.1 Information security continuity
17.2 Redundancies
18 Compliance
18.1 Compliance with legal and contractual requirements
18.2 Information security reviews
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 22081-2008 "Information technology - Security techniques - Code of practice for information security management".
Compared with GB/T 22081-2008, the main technical changes are as follows:
--- structural changes, see Annex NA;
--- changes in terminology, see Annex NB.
This standard is identical to ISO/IEC 27002:2013 "Information technology - Security techniques - Code of practice for information security controls" and its technical corrigendum ISO/IEC 27002:2013/Cor.1:2014, adopted by the translation method.
The Chinese document that is consistent with the international document normatively referenced in this standard is:
--- GB/T 29246-2012 Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2009, IDT).
This standard has made the following editorial changes:
--- informative Annex NA added;
--- informative Annex NB added.
Attention is drawn to the possibility that some elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations: China Electronics Standardization Institute, CEC Great Wall Internet System Application Co., Ltd., China Information Security Certification Center, Shandong Provincial Institute of Standardization, Guangzhou Saibao Certification Center Services Co., Ltd., Beijing Jiangnan Tian An Technology Co., Ltd., Shanghai Sanling Weishi Information Security Co., Ltd., China National Accreditation Service for Conformity Assessment, Beijing Sunway Information Technology Co., Ltd., Heilongjiang Electronic Information Products Supervision and Inspection Institute, Zhejiang Yuanwang Electronics Co., Ltd., Hangzhou Letter Technology Co., Ltd.
Main drafters: Xu Yuna, Shangguan Xiaoli, Min Jinghua, [one name not recoverable from the translation], Lu Lvwen, Ni Wenjing, Wang Lianqiang, Yu Jingtao, Fu Zhigao, Zhao Yingqing, Lu Puming, Wang Shuguang, Yu Zhonghua, Han Shuoxiang, Wei Jun, Cheng Yuqi, Kong Xianglin, Wu Minhua, Li Hua, Li Yang.
The previous edition of the standard replaced by this standard is:
--- GB/T 22081-2008.
Introduction
0.1 Background and context
This standard is intended to be used by organizations as a reference for selecting controls within the process of implementing an information security management system (ISMS) based on GB/T 22080 [10], or as a guidance document for organizations implementing commonly accepted information security controls. After the specific information security risk environment has been considered, this standard can also be used to develop information security management guidelines for specific industries and specific organizations.
Organizations of all types and sizes (including the public and private sectors, commercial and non-profit organizations) collect, process, store and transmit information in many forms, including electronic, physical and verbal (e.g. conversations and presentations).
The value of information goes beyond the written words, numbers and images themselves: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and the related processes, systems, networks and the personnel involved in their operation, handling and protection are assets which, like other important business assets, are valuable to an organization's business and therefore deserve or require protection against various hazards.
Assets are subject to both deliberate and accidental threats, while the related processes, systems, networks and people have inherent vulnerabilities. Changes to business processes and systems, or other external changes (such as new laws and regulations), may create new information security risks. Therefore, given the many ways in which threats could exploit vulnerabilities to harm the organization, information security risks are always present. Effective information security reduces these risks by protecting the organization against threats and vulnerabilities, and so reduces the impact on its assets.
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. An ISMS such as that specified in GB/T 22080 [10] takes a holistic, coordinated view of the organization's information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system.
Many information systems have not been designed to be secure in the sense of GB/T 22080 [10] and this standard. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful ISMS requires the support of all employees in the organization; it can also require participation from shareholders, suppliers or other external parties, and specialist advice from outside parties may also be needed.
In a more general sense, effective information security also assures management and other stakeholders that the organization's assets are reasonably safe and protected against harm, thereby acting as a business enabler.
0.2 Information security requirements
It is essential that an organization identifies its security requirements. There are three main sources of security requirements:
a) the assessment of risks to the organization, taking into account the organization's overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence are evaluated, and potential impact is estimated;
b) the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment;
c) the set of principles, objectives and business requirements for handling, processing, storing, communicating and archiving information that an organization has developed to support its operations.
The resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing the controls selected to protect against these risks.
ISO/IEC 27005 [11] provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
0.3 Selecting controls
Controls can be selected from this standard or from other control sets, or new controls can be designed to meet specific needs as appropriate.
The selection of controls depends on organizational decisions based on the criteria for risk acceptance, the risk treatment options and the general risk management approach applied by the organization; it should also comply with all relevant national laws and regulations. Control selection also depends on the manner in which controls interact to provide defence in depth.
Some of the controls in this standard can be considered as guiding principles for information security management and are applicable to most organizations. Detailed implementation guidance is given under each control. More information about selecting controls and other risk treatment options can be found in ISO/IEC 27005 [11].
0.4 Developing the organization's own guidelines
This standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this standard may be applicable to a given organization. Furthermore, additional controls and guidelines not included in this standard may be required. When documents containing additional guidelines or controls are developed, it may be useful to include cross-references to the clauses of this standard where applicable, to facilitate compliance checking by auditors and business partners.
0.5 Life cycle considerations
Information has a natural life cycle, from creation and origination through storage, processing, use and transmission to its eventual destruction or decay. The value of, and the risks to, information assets may vary over their lifetime (e.g. the harm caused by unauthorized disclosure or theft of a company's financial accounts is far smaller after they have been formally published), but information security remains important to some degree at all stages.
Information systems have life cycles within which they are conceived, specified, designed, developed, tested, implemented, used, maintained and eventually retired from service and disposed of. Information security should be taken into account at every stage. New system developments and changes to existing systems present opportunities for organizations to update and improve security controls, taking actual security incidents and current and projected information security risks into account.
0.6 Related standards
While this standard offers guidance on a broad range of information security controls that are commonly applied in many different organizations, the other standards in the information security management system family of standards provide complementary advice or requirements on other aspects of the overall process of managing information security.
Refer to ISO/IEC 27000 for a general introduction to the information security management system family of standards. ISO/IEC 27000 provides a glossary that formally defines most of the terms used throughout that family of standards, and describes the scope and objectives of each member of the family.
Information technology - Security techniques - Code of practice for information security controls
1 Scope
This standard gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).
This standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an information security management system based on GB/T 22080 [10];
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000 Information technology - Security techniques - Information security management systems - Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 apply.
4 Structure of this standard
This standard contains 14 security control clauses, collectively containing a total of 35 main security categories and 114 controls.
4.1 Clauses
Each clause defining security controls contains one or more main security categories.
The order of the clauses in this standard does not imply their importance. Depending on the circumstances, security controls from any or all clauses could be important; therefore each organization applying this standard should identify the applicable controls, how important these controls are, and how they apply to each of its business processes. Furthermore, the lists in this standard are not in priority order.
4.2 Control categories
Each main security control category contains:
a) a control objective stating what is to be achieved;
b) one or more controls that can be applied to achieve the control objective.
Control descriptions are structured as follows:
Control
Defines the specific control statement that satisfies the control objective.
Implementation guidance
Provides more detailed information to support the implementation of the control and the meeting of the control objective. The guidance may not be entirely suitable or sufficient in all situations and may not fulfil the organization's specific control requirements.
Other information
Provides further information that may need to be considered, for example legal considerations and references to other standards. If there is no other information to be provided, this part is omitted.
5 Information security policies
5.1 Management direction for information security
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
5.1.1 Policies for information security
Control
A set of policies for information security should be defined, approved by management, published and communicated to all employees and relevant external parties.
Implementation guidance
At the highest level, the organization should define an "information security policy" that is approved by management and sets out the organization's approach to managing its information security objectives.
Information security policies should address requirements created by:
a) business strategy;
b) regulations, legislation and contracts;
c) the current and projected information security threat environment.
The information security policy should contain statements concerning:
a) the definition of information security, and the objectives and principles that guide all activities relating to information security;
b) the assignment of general and specific responsibilities for information security management to defined roles;
c) processes for handling deviations and exceptions.
At a lower level, the information security policy should be supported by topic-specific policies, which further mandate the implementation of information security controls and are typically structured to address the needs of certain target groups within the organization or to cover certain topics.
Examples of such policy topics include:
a) access control (see Clause 9);
b) information classification (and handling) (see 8.2);
c) physical and environmental security (see Clause 11);
d) end-user oriented topics such as:
1) acceptable use of assets (see 8.1.3);
2) clear desk and clear screen (see 11.2.9);
3) information transfer (see 13.2.1);
4) mobile devices and teleworking (see 6.2);
5) restrictions on software installation and use (see 12.6.2);
e) backup (see 12.3);
f) information transfer (see 13.2);
g) protection from malware (see 12.2);
h) management of technical vulnerabilities (see 12.6.1);
i) cryptographic controls (see Clause 10);
j) communications security (see Clause 13);
k) privacy and protection of personally identifiable information (see 18.1.4);
l) supplier relationships (see Clause 15).
These policies should be communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an "information security awareness, education and training programme" (see 7.2.2).
Other information
The need for internal policies for information security varies across organizations. Internal policies are especially useful in larger and more complex organizations where those who define and approve the expected levels of control are separated from those who implement the controls, or in situations where a policy applies to many different people or functions in the organization. Policies for information security can be issued as a single "information security policy" document or as a set of individual but related documents.
If any of the information security policies are distributed outside the organization, care should be taken not to disclose confidential information.
Some organizations use other terms for these policy documents, such as "Standards" or "Rules".
5.1.2 Review of the policies for information security
Control
The policies for information security should be reviewed at planned intervals or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.
Implementation guidance
Each policy should have an owner who has approved management responsibility for the development, review and evaluation of that policy. The review should include assessing opportunities for improving the organization's policies and approach to managing information security in response to changes in the organizational environment, business circumstances, legal conditions or technical environment.
The review of policies for information security should take the results of management reviews into account.
Management approval for a revised policy should be obtained.
6 Organization of information security
6.1 Internal organization
Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.
6.1.1 Information security roles and responsibilities
Control
All information security responsibilities should be defined and allocated.
Implementation guidance
Allocation of information security responsibilities should be done in accordance with the information security policies (see 5.1.1). Responsibilities for the protection of individual assets and for carrying out specific security processes should be clearly identified. Responsibilities for information security risk management activities, and in particular for the acceptance of residual risks, should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined.
Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless, they remain accountable and should determine that any delegated tasks have been correctly performed.
The areas for which individuals are responsible should be stated. In particular, the following should take place:
a) the assets and information security processes should be identified and defined;
b) the entity responsible for each asset or security process should be assigned and the details of this responsibility should be documented (see 8.1.2);
c) authorization levels should be defined and documented;
d) the appointed individuals should be competent in the area of information security and be given opportunities to keep up to date with developments, so that they are able to fulfil their responsibilities in this area;
e) coordination and oversight of information security aspects of supplier relationships should be identified and documented.
Other information
Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.
However, responsibility for resourcing and implementing the controls often remains with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.
6.1.2 Segregation of duties
Control
Conflicting duties and areas of responsibility should be segregated to reduce the opportunities for unauthorized or unintentional modification or misuse of the organization's assets.
Implementation guidance
Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an activity should be separated from its authorization. The possibility of collusion should be considered in designing this control.
Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate duties, other controls such as monitoring of activities, audit trails and management supervision should be considered.
Other information
Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization's assets.
6.1.3 Contact with authorities
Control
Appropriate contacts with relevant authorities should be maintained.
Implementation guidance
Organizations should have procedures in place that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted, and how identified information security incidents should be reported in a timely manner (e.g. if it is suspected that an identified information security incident may have broken the law).
Other information
Organizations under attack from the Internet may need authorities to take action against the attack source.
Maintaining such contacts may be a requirement to support information security incident management (Clause 16) or the business continuity and contingency planning process (Clause 17). Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in laws or regulations that the organization has to implement. Contacts with other authorities include utilities, emergency services, electricity suppliers and health and safety authorities, e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability) and water suppliers (in connection with cooling facilities for equipment).
6.1.4 Contact with special interest groups
Control
Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.
Implementation guidance
Membership in special interest groups or forums should be considered as a means to:
a) improve knowledge about best practices and stay up to date with relevant security information;
b) ensure that the understanding of the information security environment is current and complete;
c) receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities;
d) gain access to specialist information security advice;
e) share and exchange information about new technologies, products, threats or vulnerabilities;
f) provide suitable liaison points when dealing with information security incidents (see Clause 16).
Other information
Information sharing agreements can be established to improve cooperation and coordination on security issues. Such agreements should identify the requirements for the protection of confidential information.
6.1.5 Information security in project management
Control
Information security should be addressed in project management, regardless of the type of project.
Implementation guidance
Information security should be integrated into the organization's project management method(s) to ensure that information security risks are identified and addressed as part of a project. This applies generally to any project regardless of its character, e.g. a project for a core business process, IT, facility management or other supporting processes. The project management methods in use should require that:
a) information security objectives are included in the project objectives;
b) an information security risk assessment is conducted at an early stage of the project to identify the necessary controls;
c) information security is part of all phases of the applied project management methodology.
Information security implications should be addressed and reviewed regularly in all projects. Responsibilities for information security should be defined and allocated to specific roles defined in the project management methods.
6.2 Mobile devices and teleworking
Objective: To ensure the security of teleworking and of the use of mobile devices.
6.2.1 Mobile device policy
Control
A policy and supporting security measures should be adopted to manage the risks introduced by the use of mobile devices.
Implementation guidance
When using mobile devices, special care should be taken to ensure that business information is not compromised. The mobile device policy should take into account the risks of working with mobile devices in unprotected environments.
The mobile device policy should consider:
a) registration of mobile devices;
b) requirements for physical protection;
c) restriction of software installation;
d) requirements for mobile device software versions and for applying patches;
e) restriction of connection to information services;
f) access controls;
g) cryptographic techniques;
h) malware protection;
i) remote disabling, erasure or lockout;
j) backups;
k) usage of web services and web applications.
Care should be taken when using mobile devices in public places, meeting rooms and other unprotected areas. Protection should be in place to avoid unauthorized access to, or disclosure of, the information stored and processed by these devices, e.g. using cryptographic techniques (see Clause 10) and enforcing the use of secret authentication information (see 9.2.4).
Mobile devices should also be physically protected against theft, especially when left, for example, in cars and other forms of transport, hotel rooms, conference centres and meeting rooms. A specific procedure taking into account the legal, insurance and other security requirements of the organization should be established for cases of theft or loss of mobile devices. Devices carrying important, sensitive or critical business information should not be left unattended and, where possible, should be physically locked away, or special locks should be used to secure the devices.
Training should be arranged for personnel using mobile devices to raise their awareness of the additional risks resulting from this way of working and of the controls that should be implemented.
Where the mobile device policy allows the use of privately owned mobile devices, the policy and related security measures should also consider:
a) separation of private and business use of the devices, including the use of software to support such separation and to protect business data on a private device;
b) providing access to business information only after users have signed an end-user agreement acknowledging their duties (physical protection, software updating, etc.), waiving ownership of business data, and allowing remote wiping of data by the organization in case of theft or loss of the device or when the user is no longer authorized to use the service. This policy needs to take privacy laws and regulations into account.
Other information
Mobile device wireless connections are similar to other types of network connection, but have important differences that should be considered when identifying controls. Typical differences are:
a) some wireless security protocols are immature and have known weaknesses;
b) because of limited network bandwidth or because the mobile device fa...
......